NIS2 Cyber Hygiene and Cybersecurity Training

A fundamental requirement of the NIS2 is to make sure that all employees have knowledge of best cybersecurity practices and receive proper cybersecurity training. 

Cyber Hygiene

Your organisation must maintain an appropriate level of cybersecurity by implementing fundamental measures and training employees in best practices.

Requirement

Your organisation must ensure that basic cyber hygiene practices are implemented and based on the information system security policy. Cyber hygiene covers the essential measures, daily routines, practices, and procedures that protect your networks, systems, and data against common threats. 

This includes a set of fundamental measures such as:

  • preparing a minimum set of basic security policies,
  • regularly backing up relevant data, testing the backups (integrity checks), and testing the restore procedures,
  • planning capacity and resources (staff and IT resources) to avoid bottlenecks,
  • developing an incident response plan,
  • regularly assessing the cybersecurity of your IT supply chain,
  • creating risk-based service level agreements (SLAs) with suppliers and service providers,
  • regularly patching and updating operating systems and applications,
  • installing and updating anti-malware software on relevant assets,
  • segmenting networks according to the criticality of assets,
  • carrying out automated vulnerability scans regularly,
  • performing regular security tests,
  • building a culture of cybersecurity awareness through regular user training,
  • encrypting data at rest and in transit in line with asset classification levels,
  • restricting administrative rights,
  • enforcing strong passwords,
  • using multi-factor authentication in line with asset classification levels,
  • limiting network ports and services to what is strictly necessary for business needs,
  • keeping an up-to-date inventory of hardware and software assets.

Many of these cyber hygiene practices will already be in place if you have followed our guide to implementing the NIS2 minimum requirements.

Documentation

You must document your cyber hygiene practices.

Cyber Security Training

All employees doing work in relation to your organisation’s delivery of critical services must be aware of relevant security risks, receive appropriate training, and apply common cyber hygiene practices.

Requirements

Your organisation must have a corporate policy for staff training to make sure employees receive the knowledge and skills needed to handle security risks and protect network and information systems. Training and education must align with the organisation’s information system security policy, any topic-specific policies, and relevant procedures.

The policy may describe which roles require specific security skills and expertise. A structured training programme may be established to define what training employees need. Training should be specific to the employee’s job function, and the effectiveness of the programme should be evaluated regularly.

Cyber security training and education should be carried out regularly, documented, and adapted to the organisation’s overall measures. Your training programme may include:

  • instructions and training in common cyber hygiene practices, such as access control, updating devices, and password security,
  • regular updates on relevant threats, including attack methods and human vulnerabilities, which should be made relevant to employees’ roles,
  • training on how to handle an incident by using practical and scenario-based exercises based on the organisation’s risk assessment and measures.

Basic training should be given to new employees and to staff moving into roles with different security requirements.

Your top management is also required to take part in relevant cyber security courses and should encourage similar training for other employees. Training for management may include general courses on cyber security, workshops on managing cyber risks, certification programmes and international security standards, or the organisation’s own internal courses and seminars.

Documentation

The training programme should be updated and carried out regularly. The training should take into account current policies and rules, assigned roles and responsibilities, known threats, and technological developments.
